The present invention relates to Internet user states and privacy, and more particularly to a key-based method and system with user key and optional seeding for creating secure Internet user states between one or more servers and one or more users.
The Internet is well known in the art. Generally, the Internet is a network of computers that spans most of the world. The Internet uses the HTTP protocol. Because HTTP is a stateless, or non-persistent, protocol, it is not possible for web servers to differentiate between visits by a specific user unless the web server can somehow mark the user to create a state or logical nexus between the web server and a specific user. Thus, each visit by an Internet user to a website is unique, in that the website does not generally know the identity of the user and/or other information about the user, with the exception of a few details such as browser type, IP address, etc. It should be noted, however, that when a user has a fixed IP address, the user's identity or information about the user may be known by logical relation to a database. But, since the majority of Internet users are assigned dynamic IP addresses each time they connect to the Internet, reliance on a user's IP address to create a state is problematic, because the IP address may change each time the user connects to the Internet.
To remedy the problem of HTTP's stateless nature, cookies have been introduced for the specific purpose of creating states. They may be temporary, in which case they are stored only in memory; or persistent, in which case they are stored in a file, typically on a hard drive, for a period of time measured by an expiration date field of the cookie. A cookie may be thought of as a data structure stored in the memory or on the storage device of a user's computer, with the cookie containing data, such as the user's identity and/or other information about the user, for the purpose of creating a state between the web server and the user. Thus, when a user visits a particular website, a cookie stored on the user's computer may be sent from the user's computer over the Internet to the web server, which then extracts the data from the cookie, processes the data and therewith creates a state. For example, a user's name may be stored in a cookie, and when that user visits a particular website, the data contained in the cookie may be sent to the server and used to identify the user.
More specifically and typically, when a user first visits an Internet website, a web server associated with the website may send a cookie to the user, which is then stored in the memory or on the hard drive of the user's computer, in conjunction with the user's Internet browser software. When the user subsequently visits the website, the cookie may be sent back to the server so that the user's identity and/or other information about the user that is stored in the cookie may be known to the server via the data contained in the cookie, such that a state between the user and the web server is created.
However, the use of cookies has created a significant problem relating to user privacy. Because these cookies are stored on a user's computer, especially when on a hard drive, other servers may potentially access the cookies of other servers and extract and read the user's identity and/or other information about the user that is stored in those cookies. Such extracting and reading is considered by many as an invasion of the user's privacy.
An attempted solution to protect the privacy of Internet users is provided in RFC 2109, HTTP STATE MANAGEMENT MECHANISM, having a publication date of February, 1997. This solution involves a domain restriction on reading and writing cookies, which must be implemented in conjunction with a user's particular browser software for effectuation. For example, a web server associated with the domain thissite.com may write a cookie having the domain value .thissite.com. According to the domain restriction, this cookie may only be read by a server within the specified domain and related sub-domains. For example, while the servers at thissite.com, L1.thissite.com, L2.L1.thissite.com, etc. may read the cookie having the domain value .thissite.com, the servers othersite.com, L1.othersite.com, L2.L1.othersite.com may not read the cookie having the domain value .thissite.com. While this methodology appears adequate on its face, practically it is not. It suffers from at least four deficiencies.
A first problem is that this methodology requires software vendors producing browser software to implement this domain restriction. While mainstream vendors may attempt to comply, other smaller vendors may not. Thus, failed compliance may create a hole through which a user's privacy may be invaded via the unauthorized access of cookies despite the existence of a domain restriction.
A second problem is that, despite attempted compliance, one or more bugs or exploits in the browser software may exist and be exploited, thus also creating a hole through which a user's privacy may be invaded. For example, as identified in the article, COOKIE EXPLOIT, published by COOKIE CENTRAL(trademark) on Dec. 14, 1998, such a bug did exist and a hole was potentially created and exploited. The bug allowed cookies to be shared between unrelated domains, despite the domain restriction implemented by some if not all cookie-based Internet browser applications. Basically, by concatenating an ellipsis ("...") at the end of the domain value set in a cookie, other unrelated servers were able to read those cookies. Such a domain value may be ".thissite.com...". According to this article, at the time of publication all mainstream Internet browser applications were vulnerable to this exploit. Indeed, the article goes on to assert that the most popular Internet browser applications, INTERNET EXPLORER(trademark) and NETSCAPE(trademark), were known to be vulnerable on the WINDOWS(trademark), MAC(trademark) and LINUX(trademark) platforms. Thus, the domain restriction was nullified and servers participating in the exploitation of this bug were able to access cookies from domains outside their own domain, which is exactly what the domain restriction of RFC 2109 was intended to prevent. Thus, the privacy of Internet users benefiting from the use of cookies was unequivocally subject to invasion.
A third problem is that the cookies stored on a user's hard drive may be viewed by a person who is physically using the user's computer. The location and naming of cookie files stored on a user's hard drive are generally known or discoverable by those skilled in the art. For example, it is well known in the art that the browser software application NETSCAPE(trademark) that is developed and distributed by NETSCAPE COMMUNICATIONS CORPORATION(trademark) generally stores cookies in a user directory in a single file named "cookie.txt". One physically using a user's computer may open such a file with a simple text editor and directly view and/or print the data contained in all cookies present, which is clearly an invasion of the user's privacy.
A fourth problem is that under certain conditions servers may directly read cookie files outside the domain restriction set in the cookies. It is generally known in the art that where a user's Internet browser software is configured to enable JavaScript, specific files having a known name (such as "cookies.txt") may be directly accessed, read and transmitted to some location over the Internet by a "virus" embedded within such JavaScript. Additionally, a devious program may also contain such a virus that can do the same. Many Internet users download and run executable programs from the Internet, knowingly and unknowingly risking infection by a virus; therefore, this risk is present and real. The location of cookie files is generally known or discoverable to those ordinarily skilled in the art. Indeed, such a virus may execute a "directory" command to obtain the names of files and directories on a hard drive; for example, a directory listing of files and directories in the "c:\windows\Temporary Internet Files" directory or the "c:\Program Files\Netscape\Users" directory. The former may produce cookie files produced by INTERNET EXPLORER, while the latter may produce the names of the directories of users of NETSCAPE (e.g., John), which may be used to access the NETSCAPE cookie file, which in this case would be "c:\Program Files\Netscape\Users\John\cookies.txt". Indeed, the surreptitious harvesting of cookie files is available to those seeking it, and the privacy of Internet users is subject to invasion.
Another attempted solution is practiced by some industry participants. This attempted solution involves storing in persistent cookies a primary key (or database index) to a database containing data records of user information, rather than storing the private data in the persistent cookies. Thus, the unauthorized viewing or reading of a primary key does not appear to be an invasion of privacy. While some, including the public, may consider such a practice as sufficient in protecting user privacy from invasion, practically it is insufficient and provides a false sense of security.
By definition, primary keys are unique within a defined universe. Thus, within a defined universe of Internet users, a single primary key uniquely identifies one or more database records that relate to a specific user. Where the contents of a database are known or obtained by a party (e.g., possessed, or hacked into and harvested), an Internet user, within the defined universe, visiting a website associated with that party risks an invasion of privacy. If the user has a primary key stored in a persistent cookie on the user's hard drive, access to that cookie may allow information relating to the user in the database to be referenced and used by the party to establish an undesired state between the website and the user. In addition, other information about the user that may be harvested during the visit from other cookies stored on the user's hard drive may be combined with the user's data in the database. For example, the database may only contain the user's name, address and phone number. But data harvested from the user's other cookies may reveal that the user had visited a website associated with herbal treatments for those with HIV, a website associated with HIV treatment centers in the user's town and a website associated with HIV research. By combining this health-related data with the database data, the name, address and phone number of a person who appears to have HIV is now known. Where the person does in fact have HIV and sought to keep his or her ailment private, this combined information results in the person's privacy being clearly invaded.
Therefore, there is a need to efficiently create secure Internet user states between web servers and Internet users in order to protect the privacy of Internet users from invasion while overcoming the deficiencies and contrary teachings presented in and by the prior art.
Application Ser. No. 09/475,638 ("CC#1") discloses a method and system for creating secure Internet user states between one or more servers and one or more Internet users. The invention disclosed therein is carried out by receiving by a server over the Internet from a user private data relating to the user via user input; assigning by the server the private data in encrypted format to the data field of a cookie; and sending the cookie back to the user's computer for storage, so that when the user later requests data from the server, the cookie is sent back by the user's computer to the server, which extracts the encrypted private data, decrypts the encrypted private data and uses the decrypted private data to establish an Internet state between the server and the user based on the decrypted private data.
Application Ser. No. 09/491,225 modifies CC#1 by, inter alia, utilizing a key-based encryption algorithm to encrypt private data relating to a user, and thereafter storing the encrypted data and the encryption key used to encrypt the data in the data field of a cookie.
Application Ser. No. 09/491,059 modifies CC#1 by, inter alia, utilizing a key-based encryption algorithm to encrypt private data relating to a user, and thereafter storing the encrypted data and an index associated with the encryption key used to encrypt the data in the data field of a cookie.
An object of the present invention is to protect the privacy of Internet users by protecting private user data used for establishing Internet user states.
Another object of the present invention is to protect the privacy of Internet users by protecting private user data used for establishing Internet user states without requiring implementation of new Internet protocols.
Another object of the present invention is to protect the privacy of Internet users by protecting private user data used for establishing Internet user states without requiring additional compliance by Internet browser software vendors.
Another object of the present invention is to protect the privacy of Internet users by protecting private user data used for establishing Internet user states despite the existence of Internet browser software bugs that allow unauthorized access to user cookies.
Another object of the present invention is to protect the privacy of Internet users by protecting private user data used for establishing Internet user states despite the existence of an unauthorized person physically viewing the contents of a user's cookies.
Another object of the present invention is to protect the privacy of Internet users by protecting private user data used for establishing Internet user states despite the unknown existence on an Internet user's computer of a program or script that transmits to a remote server the cookies stored on the user's computer.
Another object of the present invention is to divide control over the decryption of encrypted private data stored in cookies between Internet users and Internet servers, in that both a user and a server must each supply a key to decrypt the data.
The present invention is a method and system for creating secure Internet user states between one or more servers and one or more Internet users. The invention is carried out by receiving by a server over the Internet from a user private data relating to the user via user input, accessing a user key associated with the user, creating an encryption key from the user key, encrypting said private data with the encryption key, assigning by the server the encrypted private data to the data field of a cookie, and sending the cookie back to the user's computer for storage; so that when the user later requests data from the server or a related server, the cookie is sent back by the user's computer to that server, which extracts the encrypted private data, receives the user key over the Internet from the user, re-creates the encryption key from the user key, decrypts the encrypted private data with the encryption key and uses the decrypted private data to establish a state between that server and the user. Optionally, the present invention may include seeding the private data prior to encryption and assignment.
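As an added illustration, and not the application's own implementation or a description of any claimed embodiment, the following Python models the scheme summarised above: the encryption key is derived from the user key together with a server-held secret, so that both the user and the server must supply a key; the private data is seeded with a random value before encryption; and the encrypted data is authenticated so that a wrong key or an altered cookie is rejected rather than decrypted to garbage. The HMAC-based stream cipher, the server secret, the key-derivation parameters and the sample private data are assumptions of this example, not taken from the application.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SEED_LEN, TAG_LEN = 16, 32  # assumed sizes for this example


def derive_subkeys(server_secret: bytes, user_key: str) -> Tuple[bytes, bytes]:
    """Encryption and MAC keys depend on both a server-held secret and the user-supplied
    key, so neither the cookie alone nor the server alone can recover the private data."""
    key = hashlib.pbkdf2_hmac("sha256", user_key.encode(), server_secret, 50_000, dklen=32)
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, seed: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode, used here purely as an illustrative stream cipher.
    blocks = (hmac.new(key, seed + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def make_cookie_value(server_secret: bytes, user_key: str, private_data: str,
                      seed: Optional[bytes] = None) -> str:
    """First visit: seed, encrypt and authenticate the private data for the cookie's data field."""
    seed = os.urandom(SEED_LEN) if seed is None else seed  # random seed: same data, different cookie
    enc_key, mac_key = derive_subkeys(server_secret, user_key)
    plaintext = private_data.encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, seed, len(plaintext))))
    tag = hmac.new(mac_key, seed + ciphertext, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(seed + ciphertext + tag).decode()


def read_cookie_value(server_secret: bytes, user_key: str, cookie_value: str) -> Optional[str]:
    """Later visit: the user presents the cookie and the user key again. Returns the
    private data, or None when either key is wrong or the cookie was altered."""
    try:
        blob = base64.urlsafe_b64decode(cookie_value)
    except ValueError:
        return None
    if len(blob) < SEED_LEN + TAG_LEN:
        return None
    seed, ciphertext, tag = blob[:SEED_LEN], blob[SEED_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_subkeys(server_secret, user_key)
    expected = hmac.new(mac_key, seed + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong user key, wrong server secret, or tampered cookie
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, seed, len(ciphertext)))).decode()
```

A cookie harvested from the user's disk or read through a browser bug is useless without the user key the server never stores, and the server's secret alone is equally useless without that key.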
Other desires, features, and advantages of the present invention will be apparent from the accompanying drawings and the detailed description that follows.